Implement X509_get_signature_info()

This is a slightly strange combination of OBJ_find_sigid_algs() and the
security level API necessary because OBJ_find_sigid_algs() on its own
isn't smart enough for the special needs of RSA-PSS and EdDSA.

The API extracts the hash's NID and the pubkey's NID from the certificate's
signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA
for retrieving the corresponding information. This isn't entirely free
for RSA-PSS, but for now we don't cache this information.

The security bits calculation is a bit hand-wavy, but that's something
that comes along with this sort of numerology.

ok jsing

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libcrypto/evp/evp_local.h b/src/lib/libcrypto/evp/evp_local.h
index 3e90e068e6..5d541ffec4 100644
--- a/src/lib/libcrypto/evp/evp_local.h
+++ b/src/lib/libcrypto/evp/evp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_local.h,v 1.23 2024/08/22 12:24:24 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.24 2024/08/28 07:15:04 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -112,6 +112,9 @@ struct evp_pkey_asn1_method_st {
         int (*pkey_bits)(const EVP_PKEY *pk);
         int (*pkey_security_bits)(const EVP_PKEY *pk);
 
+        int (*signature_info)(const X509_ALGOR *sig_alg, int *out_md_nid,
+            int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags);
+
         int (*param_decode)(EVP_PKEY *pkey, const unsigned char **pder,
             int derlen);
         int (*param_encode)(const EVP_PKEY *pkey, unsigned char **pder);